Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing Trojans.
Delete any unwanted dropped files.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft MSUPDATE = SpoolSvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft MSUPDATE = SpoolSvc.exe
and delete them if they exist.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
and change it to:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 0
Close the registry editor.
Editing System.ini
At the taskbar, click Start|Run and type Sysedit. Bring System.ini to the front. In the 'shell=' line in the [Boot] section, search for any references to the file you deleted. Delete only that reference, not any other text.
Reboot your computer.
More Information
Troj/SXTB-A is an IRC backdoor Trojan that has spreading capability.
Troj/SXTB-A copies itself into the Windows system folder as SpoolSvc.exe and into <Windows>\system32\cmst32.exe and creates the BAT file <Windows>\System32\runtime.bat.
The Trojan sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft MSUPDATE = SpoolSvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft MSUPDATE = SpoolSvc.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
The Trojan may also change several other registry entries, delete EXE files from the startup folder and delete hidden shares.
Troj/SXTB-A logs onto a predefined IRC server and waits for backdoor commands. The spreading functionality of the Trojan can be activated by a backdoor command. When activated, the Trojan will attempt to copy itself into shares with filenames cmst32.exe and Svnet32.exe and set the following entry in the system.ini file on the remote machine:
[Boot]
Shell = explorer.exe Svnet32.exe
Troj/SXTB-A may also drop the following two EXE files:
<System>\ServDll32.exe
<System>\svhost32.exe
These EXE files are clean utilities and hence are not detected by this identity.
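The following added example (not Sophos code) checks for the indicators listed in the Action and More Information sections: it parses a Regedit "Export Registry File" dump for the Run/RunServices value and the restrictanonymous change, and a system.ini for an extra executable on the [Boot] shell= line. The registry export and system.ini contents in the block are constructed samples.

```python
import re
# Indicators from the analysis above. SAMPLE_REG and SAMPLE_INI are
# constructed inputs for demonstration, not data from an infected machine.
SUSPECT_RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SUSPECT_VALUE_NAME = "microsoft msupdate"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft MSUPDATE"="SpoolSvc.exe"
"Harmless"="notepad.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''
SAMPLE_INI = "[386Enh]\ndevice=vmm32.vxd\n[Boot]\nShell = explorer.exe Svnet32.exe\n"

def shell_extras(system_ini):
    """Return executables on the [Boot] shell= line other than explorer.exe."""
    section, extras = None, []
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        name, sep, value = line.partition("=")
        if section == "boot" and sep and name.strip().lower() == "shell":
            extras = [t for t in value.split() if t.lower() != "explorer.exe"]
    return extras

def scan_reg_export(reg_text):
    """Scan a Regedit 'Export Registry File' dump; return (key, name, data) hits."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=(?:"([^"]*)"|dword:([0-9a-fA-F]{8}))', line)
        if not m or key is None:
            continue
        name, sdata, dword = m.groups()
        data = sdata if sdata is not None else int(dword, 16)
        run_hit = key.lower() in SUSPECT_RUN_KEYS and name.lower() == SUSPECT_VALUE_NAME
        # restrictanonymous=1 alone is weak (administrators set it deliberately); corroboration only.
        lsa_hit = (key.lower().endswith(r"\control\lsa")
                   and name.lower() == "restrictanonymous" and data == 1)
        if run_hit or lsa_hit:
            findings.append((key, name, data))
    return findings
```

Treat the Run/RunServices hit as the primary indicator; the restrictanonymous value and the shell= entry are confirmation that the same set of changes described above is present.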
